It is essential for healthcare organizations to maintain a response plan for adverse events. There are certain steps and actions that must take place for an effective response.

  • Develop adverse event response teams.
  • Plan for a wide range of adverse events.
  • Preserve documentation and other evidence.

Adverse events happen without warning, yet they require a carefully planned response to minimize damage and facilitate the most effective follow-up investigation. Facilities should plan now for how to respond to an unexpected death, a serious accident, or potential malpractice.

It is critical to prepare an adverse event plan so that the response is not cobbled together in the heat of the moment, when emotions are running high, says Susan L. Montminy, MPA, RN, BSN, CPHRM, CPPS, TeamSTEPPS Master Trainer, manager in risk management with Coverys, a liability insurer in East Greenwich, RI.

The plan should include rapid assembly of a multidisciplinary adverse event response team when the situation warrants, she says. The event will dictate who should be involved in the response, but typically the team will include clinical leaders and administrators, and it may include biomedical engineers, facilities management, security, or others.

“It begins at the top with a commitment from leadership that support and guidance is available 24 hours a day, when a single clinician is faced with an adverse event,” Montminy says. “This is key to reducing potential fallout and additional risk. It’s not enough to have this great team of people ready to respond during regular business hours, because that’s not the only time adverse events occur.”

Risk managers will play key roles in any adverse event response. Montminy says they should be “calm voices on the other end of the phone line as a crisis is unfolding.” They should quickly ask the right questions, drawing out the information most necessary in the initial moments to determine the scale of the problem and the appropriate response, she says.

“Fear is always present. You must factor that into your plan, and be ready to acknowledge and address the emotions that you are going to encounter in these situations,” she says.

Many Different Events

Because adverse events can take many forms, risk managers should develop more than one type of response plan, says Heather Macre, JD, director with Fennemore Craig in Phoenix. A good plan starts with a risk assessment, steps to reduce or mitigate those risks, and staff education. Plans should be flexible and consider the particular needs of the practice, its patients, and practitioners, Macre says.

“The biggest thing is to have a plan in place and to update it periodically. Create a culture of accountability,” she explains. “You should also make sure that everyone knows the basics of the plan and how to execute it, as well as where to find a copy of the plan. There should be regular and specific training as to what to do in emergent situations of different types.”

The immediate response should focus on the safety of patients and staff, Macre says. Certain events, such as ransomware attacks that affect patient records or systems, require reporting. The quicker an incident is reported, the better the outcome in many cases.

Longer-term goals should include crisis communications to reassure patients and staff, a review of how a plan was implemented, and what can be improved, Macre notes.

“There are lots of pitfalls, but the most common is either not having an adequate plan, failing to update a plan, or not educating staff as to the contents of a plan,” she says. “Evidence preservation is crucial. All computer systems should be backed up, and offsite backup is extremely useful if there is a fire or natural disaster.”

Document Carefully

Safely document as much as possible at the time of occurrence, she says. Take photos, write down thoughts and observations, and interview witnesses as appropriate, she advises.

“Certain events, such as an outbreak of infectious disease or a cyberattack, require both state and local reporting. Consult counsel immediately as they can help you report the incident to the right people,” Macre says. “Also, do not forget to call the police or FBI as needed. I have seen incidents where the authorities were not called until after the event, which hampers investigations.”

The foundation of any plan for responding to an adverse hospital event must be the need for a rapid response, says David Richman, JD, partner with Rivkin Radler in Uniondale, NY. Risk management should visit the scene of the incident — the floor, the procedure room, ICU, radiology department — prepared to conduct what amounts to a triage of the incident, Richman says. In that regard, it is advisable for the risk manager to create a checklist that should be implemented immediately after notification of an incident, Richman says. (See article in this issue for Richman’s suggested checklist.)

The longer-term response should require maintenance of all records related to the incident in a secure location to ensure the records remain unchanged from the date of the incident, Richman says. Similarly, any equipment involved should be kept in a safe and secure location until any state investigation is complete or any litigation that may arise has been resolved.

Richman stresses that no member of management or anyone involved with the incident can be permitted to “manage” the situation by coercing people, encouraging a unified story, or pressing staff to alter recollections of events.

“Similarly, staff should not be encouraged to add or alter notes in the chart in order to offer a description of events that may better serve the facility’s defense. Additionally, should equipment be involved, it should not be subject to repair or alteration in response to the incident,” Richman says. “Such conduct, conduct intended to change the narrative, will be deemed a cover-up and will be far more difficult for the facility to defend than defending the truth of what occurred.”

It is important to note that adverse event responses include a wide range of events, and planned responses will vary widely, says Kerin Torpey Bashaw, MPH, BSN, RN, senior vice president in the Department of Patient Safety & Risk Management with The Doctors Company, a liability insurer based in Napa, CA. An adverse event is an incident that has caused or could have caused harm to a patient because of medical care, she says.

There are minor variations in classification between organizations. Guidance for immediate and long-term response to adverse events comes from a variety of sources, including the Department of Health and Human Services through the Conditions of Participation for Medicare and Medicaid, accreditation bodies such as The Joint Commission, and state departments of public health, she notes.

Organizations are required to create policies and procedures that meet requirements for their state and/or accrediting body. There are some requirements for mandatory reporting to the state and organization with specific time frames, Torpey Bashaw says. If mandated reporting does not occur, some states will impose daily financial fines on the organization for failure to report an event within the time frame, she notes.

As 24 states have enacted mandatory requirements for reporting adverse events meeting specific criteria, a clear organizational policy is required to quickly identify and respond to serious clinical risk and adverse events, Torpey Bashaw says.

“All areas that provide clinical care need to have policies and procedures clearly outlining the response, escalation, and resolution process for adverse events. Plans also should include a standard process and timelines to complete an investigation and/or root cause analysis for the event, presenting findings to leadership for resolution and monitoring,” she says. “Plans also should include provisions for tracking and trending data related to incidents and events to make sure corrective action plans are effective and new risks do not emerge.”

Individuals at all levels of the organization should be familiar with the process for identification and reporting or escalating adverse events up the chain of command until the event has been stabilized or resolved, Torpey Bashaw says. Staff are responsible for continually escalating up the chain of command until stabilization and/or resolution has occurred, she says.

Significant or never events should be immediately reported verbally up the administrative chain for instant response to limit any further harm and to inform the patient and family of the event facts, she says. The risk manager should be notified verbally as soon as possible, and support the communication process with the patient.

Preservation of evidence and documentation should occur right away, but Torpey Bashaw notes this often does not happen when individuals are unaware of the requirement to preserve and lock down space and documentation to protect facts that will serve in the root cause analysis.

“Supplies, equipment, and space should not be touched after an event until an administrative leader or risk manager comes to the space to assess, sequester, and preserve appropriate items and document. Paper and nondigital documents should be taken into custody and copied to preserve original integrity,” she says. “Digital documents are timestamped and can be tracked using an audit feature. All of this information should be used during the comprehensive investigation.”


  • Heather Macre, JD, Director, Fennemore Craig, Phoenix. Phone: (602) 916-5396. Email: hmacre@fclaw.com.
  • Susan L. Montminy, MPA, RN, BSN, CPHRM, CPPS, TeamSTEPPS Master Trainer, Manager, Risk Management, Coverys, East Greenwich, RI. Phone: (800) 225-6168. Email: coverys@pancomm.com.
  • David Richman, JD, Partner, Rivkin Radler, Uniondale, NY. Phone: (516) 357-3120. Email: david.richman@rivkin.com.
  • Kerin Torpey Bashaw, MPH, BSN, RN, Senior Vice President, Department of Patient Safety & Risk Management, The Doctors Company, Napa, CA. Phone: (707) 226-0291. Email: kerin.bashaw@thedoctors.com.